This is an older version of the document!
See also the page with general information about eduID.cz WAYF/DS.
Without any configuration, WAYF shows all the IdPs available in the federation the SP belongs to. It is possible to define a list of IdPs to be shown using one of two parameters: either the filter parameter or the efilter parameter.
Using the filter parameter results in a direct filter: the list of IdPs to show is passed as the value of the filter parameter itself.
Example of a direct filter:
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
Using the efilter parameter results in an external filter: the list of IdPs to show is stored in a file at the URL given as the value of the efilter parameter.
Example of an external filter:
efilter=www.example.com/filter
Content of www.example.com/filter:
eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
The efilter approach is a workaround for HTTP servers that limit the length of HTTP GET parameters, such as the Suhosin extension for PHP, which allows at most 255 characters.
A filter generator is available at https://ds.eduid.cz/filter.php.
In order for WAYF to display all the IdPs in a particular federation, just select the checkbox next to the corresponding federation name. Several federations can be selected at once.
Should only particular IdPs be shown in WAYF, one can select just those IdPs; it does not matter which federation they come from.
For users from organizations not participating in any federation, a „Hostel“ Identity Provider is available. Clicking „Use Hostel IdP“ enables this Identity Provider, where any user can create an account for free. If the Service Provider is not configured to accept Hostel, logging in via the Hostel IdP is not possible. Clicking „Allow Hostel registration“ additionally lets users create an account at the Hostel IdP first.
Example of a direct filter with Hostel IdP enabled (without account registration):
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
Example of a direct filter with Hostel IdP enabled (with account registration):
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0=
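Decoding the filter values shown on this page reveals what the opaque strings carry: base64-encoded JSON with the keys allowHostel and allowHostelReg (the values above decode to {"allowHostel": true, "allowHostelReg": false} and {"allowHostel": true, "allowHostelReg": true}). The following Python is an added example, not code from the page or from the eduID.cz generator: it decodes and inspects an existing filter value, builds a new one with those two keys, and applies the length rule from the efilter paragraph, falling back to efilter when a value would not fit a 255-character GET parameter. The external URL, the 255-character limit as a constant, and the assumption that the generator's other keys (IdP lists) are outside this example are all assumptions made here.

```python
import base64
import json
from typing import Tuple
from urllib.parse import quote, unquote

# Filter values copied from the page; decoding them below confirms they are base64 JSON.
FILTER_HOSTEL_NO_REG = "eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9"
FILTER_HOSTEL_WITH_REG = "eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0="

# Assumed limit, taken from the page's Suhosin remark (255 characters per GET value).
MAX_GET_VALUE_LENGTH = 255


def decode_filter(value: str) -> dict:
    """Decode a filter value (possibly URL-encoded base64 JSON) into a dict.

    Restores base64 padding that is often lost when a value is copied out of a
    URL, and rejects anything that is not a JSON object so a broken or
    tampered filter fails loudly instead of silently showing every IdP.
    """
    raw = unquote(value).strip()
    raw += "=" * (-len(raw) % 4)  # restore stripped '=' padding
    decoded = base64.b64decode(raw, validate=True)
    data = json.loads(decoded)
    if not isinstance(data, dict):
        raise ValueError("filter must decode to a JSON object")
    return data


def build_filter(allow_hostel: bool, allow_hostel_reg: bool) -> str:
    """Build a direct filter value carrying only the two keys seen on the page.

    Compact JSON keeps the encoded value short, which matters for the GET limit.
    """
    payload = {"allowHostel": allow_hostel, "allowHostelReg": allow_hostel_reg}
    compact = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(compact).decode()


def choose_parameter(encoded: str, external_url: str,
                     max_len: int = MAX_GET_VALUE_LENGTH) -> Tuple[str, str]:
    """Return ('filter', value) when the value fits in one GET parameter,
    otherwise ('efilter', url) so the value is served from an external file."""
    if len(encoded) <= max_len:
        return ("filter", encoded)
    return ("efilter", external_url)


def wayf_url(encoded: str, external_url: str, lang: str = "en") -> str:
    """Assemble the WAYF URL; base64 '+' and '=' are percent-encoded so they
    survive the query string, while ':' and '/' in an efilter URL stay readable."""
    name, value = choose_parameter(encoded, external_url)
    return f"https://ds.eduid.cz/wayf.php?{name}={quote(value, safe=':/')}&lang={lang}"


if __name__ == "__main__":
    print(decode_filter(FILTER_HOSTEL_NO_REG))
    print(wayf_url(build_filter(True, True), "https://www.example.com/filter"))
```

The same decode_filter() is also a useful sanity check on the content of an external filter file before publishing its URL as efilter: the file must contain exactly one encoded value that decodes to a JSON object.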
WAYF supports sites where login is required as well as sites where login is optional (so-called lazy sessions).
In the following configuration example, a user is redirected to WAYF before the requested web page is displayed, in order to select a home organization and log in.
Alter the <SSO> element in the shibboleth2.xml configuration file accordingly.
<SSO discoveryProtocol="SAMLDS"
     discoveryURL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en">
  <!-- the & separating query parameters must be written as &amp; inside an XML attribute -->
  SAML2 SAML1
</SSO>
First, the <SSO> element in the shibboleth2.xml configuration file has to be set as in the previous section.
Second, the following <script> element has to be inserted into the <head> element of every page where lazy sessions are desired.
<head>
  <!-- other HTML elements -->
  <script type="text/javascript" src="https://ds.eduid.cz/ds.js"></script>
  <!-- other HTML elements -->
</head>
The session initiator URL is /Shibboleth.sso/Login by default, so the login link in a web page might look like the following:
<a href="/Shibboleth.sso/Login" onclick="startOverlay(event)">Log in</a>
For SimpleSAMLphp, the WAYF configuration is set in the authsources.php configuration file.
Example of an authsources.php configuration file:
<?php
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID'   => 'https://sp.example.com/simplesaml/',
        'idp'        => NULL,                            // no fixed IdP: let the discovery service choose
        'discoURL'   => 'https://ds.eduid.cz/wayf.php',  // eduID.cz WAYF as the discovery service
        'privatekey' => 'example.key',
    ),
);
And the login link in the web page might look like the following:
<a href="/simplesaml/module.php/core/authenticate.php" onclick="startOverlay(event)">Log in</a>
CESNET, z. s. p. o.